Claim Rules for different groups

  • Question

  • We have the below claim rule in effect now for all our users; it was implemented using a PS command:

    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
     && [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    It basically states that anyone coming in through a browser gets prompted for multifactor. This works well, as expected.

    We would like to do some testing with this rule but only apply it to an AD group of users:

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
     && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
     && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"])
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    We would want anyone who is not a member of our test AD group to get the first (default) claim rule applied to them, and anyone who is in our test AD group to get this second claim rule applied to them.

    Is it possible to accomplish this?  If so, how can we do this?  Appreciate any help.


    Wednesday, May 25, 2016 11:58 AM
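
One way to scope the two rules in the question by group membership, as an added example that is not part of the original post: each rule is gated on the `groupsid` claim for the test group, so non-members fall under the first rule and members under the second. The group name `MFA-Test-Group`, the backup file name, and the use of the global additional authentication policy (rather than a per-relying-party one) are assumptions.

```powershell
# Added example, not from the original post.
# Assumptions: 'MFA-Test-Group' is a hypothetical AD group name; the rules are
# applied to the global additional authentication policy on the primary AD FS server.
Import-Module ActiveDirectory

$groupSid      = (Get-ADGroup -Identity 'MFA-Test-Group').SID.Value
$groupSidClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'

# Save the rule set currently in effect so it can be restored after testing.
(Get-AdfsAdditionalAuthenticationRule).AdditionalAuthenticationRules |
    Set-Content -Path .\additional-auth-rules.backup.txt

# Rule 1: users who are NOT in the test group keep the existing browser/OAuth rule.
#         The original conditions are written with exists() so they combine with
#         the group check; the issued claim is unchanged.
# Rule 2: users who ARE in the test group get the new rule from the post.
$rules = @"
NOT exists([Type == "$groupSidClaim", Value == "$groupSid"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"])
 && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

exists([Type == "$groupSidClaim", Value == "$groupSid"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Replace the global additional authentication rules with the two group-scoped rules.
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rules

# Confirm what AD FS stored.
(Get-AdfsAdditionalAuthenticationRule).AdditionalAuthenticationRules
```

Because the two group conditions are exact complements, every external user matches one of the rules or the other, so no account silently loses the MFA requirement while the test group is in use.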